28/05/2020

Just prior to the Federal Government having to turn all of its attention to preventing the spread of COVID-19 in Australia, it introduced the Telecommunications Legislation Amendment (International Production Orders) Bill 2020 (Cth) (Bill) into the Federal Parliament on 5 March 2020. The Bill seeks to amend the Telecommunications (Interception and Access) Act 1979 (Cth) (TIA Act) by establishing a framework to give effect to “future bilateral and multilateral agreements for reciprocal cross-border access to electronic information and communications data”. The first of such agreements will be the bilateral agreement with the USA under its Clarifying the Lawful Overseas Use of Data Act (the CLOUD Act). The UK finalised a similar CLOUD Agreement with the USA last year.

The Bill has been criticised by many as a further (and unnecessary) expansion of Australia’s already extensive national security laws, particularly as they affect communications providers. 

We have put together the following FAQs to help understand the regime intended to be established under the Bill and its implications. 

What does the Bill do?

The Bill will allow foreign and local law enforcement agencies to access electronic information from ‘designated communications providers’ in the other jurisdiction, under agreements between Australia and ‘like-minded’ countries. The framework under the Bill provides for the issue of international production orders (IPOs) for interception, stored communications (this would cover a corporate customer’s ‘private network’ data hosted in the cloud) and telecommunications data (essentially metadata).

While the Mutual Assistance in Criminal Matters Act 1987 (Cth) provides for similar access to electronic information and communications data, the framework under the Bill facilitates the issue of IPOs directly to ‘designated communications providers’ in foreign countries with which Australia has a designated international agreement (and vice versa for foreign law enforcement agencies seeking orders in their home jurisdiction against Australian-based providers), bypassing mutual assistance processes between foreign governments.    

Who does the Bill affect? 

The Bill applies to ‘designated communications providers’, which covers almost every species of service provider on communications networks, including:

  • carriers and carriage service providers (such as internet service providers and telephone networks);
  • message and call application service providers (such as social media platforms);
  • storage and back-up service providers (such as cloud systems providers); and
  • general electronic content service providers (such as websites which store data).

Unlike similar terms in the TIA Act – such as ‘carrier’ or ‘carriage service provider’ which are tied to ownership or use of ‘network units’ in Australia – the term ‘designated communications providers’ does not contemplate a geographic nexus with Australia. 

There are, however, some limits to the Bill’s extra-territorial reach: a designated communications provider will only need to comply with an IPO where it meets the ‘enforcement threshold’.  Nevertheless, this is a low threshold.  A designated communications provider will meet it in circumstances in which it can be reasonably demonstrated that it made its service available to a single Australian resident. 

Of course, from a general privacy perspective, the Bill also affects the individual(s) who are the subject of the IPO.    

Who may apply for an IPO and in what circumstances can they do so? 

IPOs may be sought by:

  • agencies permitted under the TIA Act to seek warrants for domestic interception or stored communications or authorisations for access to telecommunications data;
  • law enforcement agencies for the purposes of investigating a serious criminal offence or monitoring a person subject to a control order so as to protect the public from terrorist acts, prevent support for terrorist acts and hostile acts overseas and detect breaches of the control order; and  
  • the Australian Security Intelligence Organisation (ASIO) for the purpose of it carrying out its functions.

By way of example, where it can be demonstrated that the information sought by the IPO would not be likely to assist in the ways outlined above, this may provide a basis to challenge the issue of an IPO.

How are applications made? 

Applications are made to an eligible judge or nominated Australian Administrative Tribunal (AAT) member (decision-maker).   

Applications must be in writing and be accompanied by an affidavit, noting that provision is also made for telephone applications in urgent circumstances.

What matters are considered in issuing an IPO? 

In issuing an IPO, the decision-maker must have regard to certain matters.  These include:

  • the extent to which methods of investigation other than those contemplated by the IPO have been used, or are available and, in respect of IPOs relating to national security, the extent to which less intrusive methods have been used, or are available;
  • the extent to which such methods would be likely to assist, and prejudice, the investigation; and
  • in respect of IPOs which do not relate to national security:
    • how much a person’s privacy would be likely to be interfered with;
    • how much the information sought would assist in connection with the investigation; and
    • the gravity of the conduct constituting the offence.

While the fact that a decision-maker must have regard to these factors affords some degree of protection in respect of important considerations such as privacy and proportionality, the threshold of ‘have regard to’ is low, vague and confers broad discretion on the decision-maker.  It does not create pre-requisites for the issue of an IPO.  Privacy and proportionality protections could be significantly strengthened by a statutory requirement for the decision-maker to consider these matters in deciding whether to issue an IPO.      

This is of concern given that a nominated AAT member, who is not a judicial officer, has the power to issue IPOs - the AAT not being a court, but part of the executive arm of government. 

What is the content of an IPO?

An IPO must be signed by the decision-maker who issued it and set out, amongst other things, the date on which the order was issued, the name of the applicant agency, the designated communications provider to whom the order is directed, and the name of the designated international agreement nominated in the application.

An IPO must also set out short particulars of each serious offence that the decision-maker issuing the order was satisfied justified the issue of the IPO or, in the case of an IPO relating to control orders, a statement to the effect that the order is issued on the basis of a control order and the name of the person subject to it.  Such information is not required to be set out in IPOs relating to national security.

Details of what is required of the designated communications provider will also be set out.  

Minor defects as to form will not invalidate an IPO. 

Can you object to, or challenge, the issue of an IPO? 

There are limited grounds on which objections or challenges can be made to an IPO, some of which are touched on above, and which otherwise include where there is non-compliance with the designated international agreement and where certain compliance thresholds are not met.    

Non-compliance with designated international agreement

The Bill provides one express basis to object to an IPO where the IPO “does not comply with the designated international agreement nominated in the application for the order.”  While such agreements are yet to be drafted, the Bill’s Explanatory Memorandum suggests that they will set out:

any limitations on what criminal offences orders can relate to, who may be targeted by an order, what types of data can be sought under an order, and what communications providers an order may be directed to.

Non-compliance with such terms would provide a basis for a designated communications provider to object to the issue of an IPO.  The extent to which this provision will afford any meaningful recourse will turn on the terms of any designated international agreements Australia enters into, assuming they are made public. 

This basis to object to an IPO is limited to non-compliance with the designated international agreement; it does not contemplate a merits review.

Limits on compliance with IPOs – designated communications providers

The Bill places limits on compliance with IPOs in that a designated communications provider is only required to comply with an IPO “to the extent to which the designated communications provider is capable of doing so.”  Extrinsic material relating to similar provisions in other legislation suggests that this limitation is directed at the designated communications provider’s capability from a resources perspective.  It would provide little basis not to comply with an IPO, particularly where the designated communications provider in question is well resourced.

The designated communications provider must also meet the ‘enforcement threshold’.  As discussed above, this is a low threshold. 

Difficulties in objecting to or challenging the issue of an IPO

While there are limited bases upon which a designated communications provider may be able to object to or challenge the issue of an IPO, the limited information available at the point in time at which an IPO is issued will make doing so a difficult task.   

Designated communications providers are not yet privy to the content of any designated international agreements Australia proposes to enter into, and it is unclear whether they will be made public.   

At best, designated communications providers will have to hand ‘short particulars’ of each serious offence, which would seem to be insufficient information to form a view as to whether a decision-maker had failed to have regard to privacy or proportionality considerations, or the IPO had been issued for a purpose inconsistent with the purposes prescribed by the Bill.

When is notice of an IPO given and when can you object to its issue? 

A designated communications provider only becomes aware of the existence of an IPO upon the order being issued to it. It is not notified at the point at which an application for an IPO is made.  This means that a designated communications provider can only object to or seek to challenge an IPO after it has been issued.  At this point, the opportunity to negotiate its terms has been lost and any objection or challenge to the IPO will result in increased costs for both the agency making the application and the designated communications provider. 

What are the consequences of non-compliance with an IPO?

The civil penalty for non-compliance with an IPO is considerable, at 238 penalty units, which is ~$50,000.  Non-compliance by a body corporate is up to 200 times that amount, which is ~$10 million. 

What can be disclosed about an IPO?

There are limited circumstances in which information relating to an IPO – including the existence of an IPO – may be used, recorded or disclosed or admitted into evidence.  For example, a designated communications provider may disclose the total number of IPOs given to it during a period of at least six months.  The balance of the exceptions, however, largely relate to disclosures in the course of proceedings relating to the underlying offence and the agency’s corresponding investigation.  They do not apply to the day-to-day operations of a designated communications provider. 

What safeguards are there? 

Australian Designated Authority

The Bill establishes the ‘Australian Designated Authority’ (ADA), which will be charged with:

  • ensuring compliance with the designated international agreement nominated in the application for the order;
  • acting as an intermediary between applicant agencies and designated communications providers;
  • considering objections to IPOs; and
  • cancelling IPOs. 

It is questionable whether a body such as the ADA, which is involved in both the issue of an IPO and any objections to it, as well as advising the Attorney-General in the performance of their functions in the issuing of IPOs, is sufficiently independent. 

Commonwealth Ombudsman

The Commonwealth Ombudsman may inspect records of a relevant agency and the ADA to determine compliance with the content of the Bill.  The Ombudsman must table the findings of these inspections in an annual report to the Minister.  

However, the Commonwealth Ombudsman does not provide a robust means of oversight due to its current resourcing levels.  Indeed, in its submission, the Commonwealth Ombudsman indicates:

While I am broadly comfortable with the oversight role the Bill provides my Office, if the Bill is passed without appropriate funding, my Office will not be able to undertake the activities necessary to assure the Parliament these new powers are being used appropriately.  I note that my Office is engaged in conversations with the Government, with funding proposed to be determined in an upcoming budget process.

Public Interest Monitors

Public Interest Monitors (PIMs) currently operate in Victoria and Queensland and serve as an additional safeguard in relation to applications by Victorian and Queensland law enforcement agencies for various warrants, orders or approvals to use certain covert or coercive investigative powers. PIMs may appear at hearings of applications to test the content and sufficiency of information relied upon; question any person giving information in relation to the application; and make submissions as to the appropriateness of granting the application.

Is there a concern about the reach of the Bill? 

While there is an identifiable need to assist Australia’s international crime cooperation efforts, and to ensure that Australian laws evolve with changing technologies and the necessary pace of investigations and prosecutions, that need must be balanced against arbitrary or unlawful interferences with privacy.  Those burdened by such a framework also need to be afforded appropriate opportunities to object to and challenge orders issued to them and decision-makers should be transparent and accountable. 

In this context, for the reasons discussed above, it is understandable that the Bill has been subject to widespread criticism that it falls short in many respects. 

What is the status of the Bill?

The Bill is currently being reviewed by the Parliamentary Joint Committee on Intelligence and Security, and the requested reporting date has been extended to 26 June 2020.

 

Authors: Courtney Robertson and Gus Viola
